Description:
------------
Using a stock installation of PHP 5.2.6 (or 5.2.5 or 5.2.3) as an ISAPI module on Windows 2003 Standard Edition x32 (fully updated using Windows Update), if you pass a "wacky" value to strtotime the w3wp.exe (IIS Worker Pool) spikes to 99% and crashes the web server.
We accidentally used date("-24 hours") instead of strtotime("-24 hours") and then passed that (via some intermediary function calls) to strtotime.
It does not crash on Win2003 SE x64 (or any other operating system that we run this application on).
I am aware of other w3wp.exe bugs being reported but those do not seem to match this specific cause. Similarly, strtotime bugs don't seem to match.
Reproduce code:
---------------
echo strtotime(date("-24 hours"));
Expected result:
----------------
Return false or -1
(with the caveat that I know it's "bad code" on my part)
Actual result:
--------------
w3wp.exe crashes as soon as the page starts to load.
Watching in task manager on the web server, you can see w3wp.exe spike to 99% then stay there. If you kill the task the web server behaves oddly, generating "Service Unavailable" results to the end browser until the "World Wide Web Publishing Service" is restarted.

It hangs in this loop:
#1 0x00000000004a7f5b in do_normalize (time=0x7bf1ed0) at /home/jani/php-5.3CVS/ext/date/lib/tm2unixtime.c:166
166 do {} while (do_range_limit_days(&time->y, &time->m, &time->d));

[2008-08-20 19:24 UTC] krimpet at toolserver dot org

I can confirm this bug, and it's not limited to Windows platforms. 'php -r "strtotime('+1000000000000 days');"' crashes my Linux laptop, for example.
This bug is particularly dire where user input is fed to directly to strtotime(), as it poses a DoS risk - for example, we use strtotime() in MediaWiki to format times specified by the user. (See <https://bugzilla.wikimedia.org/show_bug.cgi?id=14898>.)

[2008-12-22 14:18 UTC] for-bugs at hnw dot jp

As well as other comments, php -r 'strtotime("20080101000000 Sunday");' never ends on PHP 5.2.8 and 5.3.0alpha3.

This bug has been fixed in CVS.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.